similar to: OpenSSH 1.2pre14 fails on pam_open_session() ...

On Mon, 22 Nov 1999, Philip Brown wrote: > [ Marc G. Fournier writes ] > > debug("PAM_retval(open_session) about to run"); > > pam_retval = pam_open_session((pam_handle_t *)pamh, 0); > > > > > =========================================== > > > > so, its looking like I'm authenticated properly, but when trying to set up > > the

I've attached two patches. The first just changes the output of "ssh -V" to print that it was built against rsaref if libRSAglue (which is built as part of openssl only when it is built against rsaref) is present at build-time. The second adds appropriate calls to pam_setcred() in sshd. Without them, our systems can't access AFS because the PAM modules only get tokens at a

When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users noticed that it did not honor password expiration consistently with other Solaris login services. The patch below is against OpenSSH 2.2.0p1 and adds support for PAM password changes on expiration via pam_chauthtok(). A brief summary of changes: auth-pam.c: * change declaration of pamh to "static pam_handle_t *pamh",

Can't compile sshd.c because of pam errors. The errors are attached below, and I apologize for the >75 chars a line. RH4.2, with the latest updates, runs pam-0.57-5. I could upgrade PAM from source, but I'd probably break other programs. gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/bin/ssh\"

Currently, OpenSSH prints the message: "Warning: You password has expired, please change it now" if the password has expired. It would be nice if the user could/had to change password before continuing, like with Linux console login. I've tried to make an patch, but it doesn't work. Ideas? --- auth-pam.c.org Wed Oct 11 18:03:43 2000 +++ auth-pam.c Wed Oct 11 18:03:44

Hi, There have been a bunch of useful submissions for the compare /contrast thread. To reduce the load on your mailbox, they are gathered here in one go... Roger. Date: Wed, 28 Oct 1998 15:11:37 +0000 From: "David L. Sifry" <dsifry@linuxcare.com> To: "Matthew S. Crocker" <matthew@crocker.com> CC: Rob Bringman <rob@trion.com>,

Hello, appended is a patch that makes it possible to use PAM both for password authentication and TIS (i.e. s/key or opie or any other interactive challenge/response scheme). I have developed this starting from the patch at http://www.debian.org/Bugs/db/61/61906.html on Debian with openssh-2.1.1p4-3. After configuring ssh with --with-pam-tis, there are two PAM services, "sshd" and

A few things to keep in mind: - kbd-int should call pam_authenticate(), acct_mgmt(), chauthtok(), if required, setcred(PAM_ESTABLISH_CRED) and open_session() ALL during kbd-int so that modules in each of those PAM stacks can prompt the user (pam_open_session(), for example, may prompt a user with an informational message akin to the last login message) - all userauth methods should

Hello, all- Apparently, under Solaris (I can personally confirm SunOS 5.7 and 5.8), pam_open_session will generate a segfault if PAM_TTY is not set. The obvious symptom of this is that OpenSSH 2.9.9p2 will segfault on any operation that does not request a tty (do_exec_no_pty). Based on a quick google search, this seems to have been encountered by others, though the specific symptoms seem to

I was browsing the OpenSSH sources (which are very readable, thankyou very much) and noticed that PAM was only being told what host the user is logging in from for account processing - not for password processing. As I can see no reason not to put this in start_pam this is exactly what I have done - and attached a patch to this effect. This allows PAM to fill in rhost= in its audit messages

On Tue, 1 Feb 2005, it was written: > Nicolas Lopez wrote: > > maildir and most of my accounts in LDAP. Since the accounts are created > > through a web interface on another server home directories on the mail > > server don't get created automatically. There's the handy pam module > > pam_mkhomedir.so to automagically create home directories, but >

Beyond any more general questions of whether pam sessions *should* be run as root, is there an immediate security concern with moving the pam_open_session (and pam_setcred) stuff to the parent (root) process? (E.g., via the patch below.) -- Mike Stone diff -u -r1.4 auth-pam.c --- auth-pam.c 25 Jun 2002 00:45:33 -0000 1.4 +++ auth-pam.c 25 Jun 2002 20:33:41 -0000 @@ -286,6 +286,8 @@

Trying 2.1.1p2 on HP-UX 11 (trusted system) I get: Jul 3 14:24:53 robinson sshd[1236]: debug: Encryption type: 3des Jul 3 14:24:53 robinson sshd[1236]: debug: Received session key; encryption turned on. Jul 3 14:24:53 robinson sshd[1236]: debug: Installing crc compensation attack detector. Jul 3 14:24:53 robinson sshd[1236]: debug: Starting up PAM with username "stevesk" Jul 3

to improve forensic log info i want to set the PAM_RHOST value to the remote ip (which pam logs as rhost=foo in failure messages). i didn't look to see if anything has been done in this way on CVS because i'm still on 0.99.10.6. below is a bit of a hack. in some sense the remote_ip might make more sense in the AUTH_LOGIN_REQUEST_NEW packet rather than the continue packet... but that

http://bugzilla.mindrot.org/show_bug.cgi?id=419 Summary: HP-UX PAM problems with 3.5p1 Product: Portable OpenSSH Version: -current Platform: HPPA OS/Version: HP-UX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy:

-----BEGIN PGP SIGNED MESSAGE----- Hi, I''ve got several replies, thank you for them. Let me summarize: o Many people say there is a PAMified version of ssh available at ftp://ftp.replay.com/pub/crypto/redhat/SRPMS (the source) ftp://ftp.replay.com/pub/crypto/redhat/i386 (Intel binaries) (there are analogous paths for the other architectures). The packages are made by Jan

Hi Everybody, We are upgrading to samba-3.0.2a with SEAM kerberos and iPlanet Directory ldap server support. All the three servers runs in three different physical solaris machies. We are able to connect the samba and ldap. We are trying with security=user option in samba . For kerberos support, we thought of a solution of authentication via pam -pamkrb5 module. but samba fails for a

While configuring my server with dovecot I noticed that the PAM authentication driver does not support the username_format option as does the password file driver. This didn't seem too hard to implement so I through together a patch. As you can see in the attached patch I only modify the username sent to PAM. Despit doing this I run into the domain lost

Just tried out ssh in pre13, and still get the EGD problem? :( new-relay:/usr/slocal/src/openssh-1.2pre13> ./ssh -l marc atelier The authenticity of host 'atelier.acadiau.ca' can't be established. Key fingerprint is 1024 ef:36:b5:f8:a3:bb:14:4d:a9:4b:f2:90:9a:bd:bb:00. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added

Hi All. Attached is a patch that implements password expiry with PAM and privsep. It works by passing a descriptor to the tty to the monitor, which sets up a child with that tty as stdin/stdout/stderr, then runs chauthtok(). No setuid helpers. I used some parts of Michael Steffens' patch (bugid #423) to make it work on HP-UX. It's still rough but it works. Tested on Solaris 8 and